MFA Fatigue: How Attackers Are Exploiting Push Notifications

Multi-Factor Authentication (MFA) has long been hailed as a cybersecurity essential, the digital lock that prevents attackers from accessing our accounts even if they steal our passwords. By requiring a second verification step, such as a code from an authenticator app or a push notification to a smartphone, MFA provides a crucial layer of defense. However, a new and insidious threat is exploiting the very system designed to protect us: MFA fatigue.

MFA fatigue attacks, sometimes called “MFA bombing,” are a form of social engineering where attackers relentlessly spam a target with push notifications requesting login approval. These notifications are often triggered by a bot attempting to log in to the user’s account using stolen credentials. The goal is simple: to overwhelm the user with constant, disruptive alerts until, out of sheer frustration and a desire for the notifications to stop, they finally hit “approve.”

This isn’t a theoretical threat; it’s a real-world problem with costly consequences. A prominent example is the breach of a major ride-sharing company, where an attacker reportedly targeted an employee with repeated MFA requests. The employee, exhausted by the non-stop notifications, eventually approved one of the prompts, mistakenly believing it was legitimate or simply hoping to make the notifications stop. This single action was all it took for the attacker to breach the company’s defenses.

Why Is MFA Fatigue So Effective?

The success of these attacks hinges on human psychology and the inherent weaknesses of traditional push-based MFA.

• Interruptive Nature: Push notifications are designed to grab our attention and demand an immediate response. This interruptive nature can be a double-edged sword, as it can condition users to reflexively approve prompts to clear their screens.
• Cognitive Overload: When faced with a constant barrage of alerts, our cognitive load increases. The “fight or flight” response can kick in, and the user’s primary goal becomes stopping the annoyance, often at the expense of careful consideration.
• Reliance on a Single Action: Basic push notifications often require only a single tap to approve. This lack of friction, while convenient for legitimate use, makes it dangerously easy for a frustrated user to make a mistake.
• Social Engineering: Attackers are adept at exploiting human error. They know that users are often distracted, tired, or simply not paying close attention. They count on the fact that an unexpected login prompt might be mistaken for a legitimate one, especially if it appears among dozens of others.

Fighting Back: How to Stop the Spam

Fortunately, organizations and individuals are not powerless against MFA fatigue. The solution lies in moving beyond basic push notifications and adopting more secure authentication methods.

1. Switch to Number Matching: One of the most effective countermeasures is implementing number matching. Instead of a simple “Approve/Deny” prompt, the user is shown a two-digit or three-digit number on their login screen. They must then enter this specific number into their authenticator app to approve the request. This simple change forces the user to actively verify the login attempt and prevents accidental approvals.
2. Embrace FIDO2 Hardware Keys (for enterprise and highly sensitive accounts): For the highest level of security and a near-total defense against these attacks, FIDO2-compliant hardware security keys (e.g., YubiKey, Google Titan) are a leading recommendation. These keys are physical devices that use public-key cryptography and are inherently phishing-resistant. The user must have the physical key in their possession to authenticate, making it impossible for an attacker to trigger an MFA request from a remote location. While security keys are available for personal use, their management and deployment are most commonly seen and recommended for large-scale enterprise environments where a high degree of security is critical for all employees.
3. Educate, Educate, Educate: Technology alone isn’t a silver bullet. User education is paramount. Employees and individuals must be trained to recognize the red flags of an MFA fatigue attack. This includes:
   • Never approving unexpected login prompts. If you haven’t initiated a login, the request is malicious.
   • Knowing who to contact. Users should know to report suspicious activity to their IT or security team immediately.
   • Understanding the “why.” Explaining the risk of MFA fatigue attacks helps users understand the importance of being vigilant.
4. Monitor for Excessive Requests: Organizations should implement systems to monitor for unusual login behavior. An account generating an excessive number of MFA requests in a short period is a major red flag for a potential compromise. Automated systems can be configured to temporarily lock or flag such accounts for review, stopping an attacker in their tracks.
5. Contextual and Adaptive Authentication: A more sophisticated approach is to implement adaptive authentication. This means the system assesses the risk of a login attempt based on factors like geolocation, device, and time of day. For example, if a user typically logs in from their office and suddenly an MFA request is triggered from a different country, the system could automatically deny the request or require a more stringent form of verification. This reduces unnecessary prompts for low-risk actions, cutting down on user frustration and overall fatigue.

MFA remains a critical tool in the cybersecurity arsenal. However, as attackers evolve, so too must our defenses. By moving beyond basic push notifications and adopting more robust authentication methods like number matching and FIDO2, and by empowering users with proper education and context-aware systems, we can turn the tables on MFA fatigue and ensure that our second factor of authentication remains a shield, not a vulnerability.

Feeling lost in the digital world? Dr. Tom is here to help!